terraform-provider-azurerm: Azure Linux Web App doesn't have callback route?
Terraform Version
1.40.0
AzureRM Provider Version
3.47.0
Affected Resource(s)/Data Source(s)
azurerm_linux_web_app
Terraform Configuration Files
provider.tf
provider "azurerm" {
  features {}
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.47.0"
    }
  }
}
backend.tf
terraform {
  backend "azurerm" {
    resource_group_name  = "tf_rg"
    storage_account_name = "tf_sa"
    container_name       = "tfstate"
    key                  = "example.tfstate"
  }
}
main.tf
# Run the script to get the environment variables of interest.
# This is a data source, so it will run at plan time.
# this bit of code says a lot, imho.
data "external" "env" {
  program = ["sh", "-c", "jq -n 'env | {ARM_TENANT_ID,ARM_SUBSCRIPTION_ID,ARM_CLIENT_ID,ARM_CLIENT_SECRET}'"]
}

# Define a Resource Group for an Azure App
resource "azurerm_resource_group" "example_rg" {
  name     = "${var.app_name}-rg"
  location = "West Europe"
}
# Define an Azure App Service Plan for Linux
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan
resource "azurerm_service_plan" "example_service_plan" {
  name                = "${var.app_name}-serviceplan"
  location            = azurerm_resource_group.example_rg.location
  resource_group_name = azurerm_resource_group.example_rg.name
  os_type             = "Linux"
  sku_name            = "B1"
}
# Define an Azure Web App
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/azurerm_linux_web_app
resource "azurerm_linux_web_app" "example_wa" {
  name                = "${var.app_name}"
  resource_group_name = azurerm_resource_group.example_rg.name
  location            = azurerm_service_plan.example_service_plan.location
  service_plan_id     = azurerm_service_plan.example_service_plan.id

  # Enable a System Managed Identity for the Azure Web App
  identity {
    type = "SystemAssigned"
  }

  # iisnode
  site_config {
    application_stack {
      node_version = "16-lts"
    }
  }

  # Configure the Azure Web app with your AAD Auth Provider (see web.config)
  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true
    default_provider       = "AzureActiveDirectory"
    unauthenticated_action = "RedirectToLoginPage"

    # our default_provider:
    active_directory_v2 {
      tenant_auth_endpoint       = "https://login.microsoftonline.com/${data.external.env.result["ARM_TENANT_ID"]}/v2.0"
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" # should be used instead of ARM_CLIENT_SECRET
      client_id                  = data.external.env.result["ARM_CLIENT_ID"]
      allowed_groups             = var.app_allowed_groups
    }

    # use a store for tokens (az blob storage backed)
    login {
      token_store_enabled = true
    }
  }
}

# Output the Azure Web App URL
output "webapp_url" {
  value = "https://${azurerm_linux_web_app.example_wa.default_hostname}"
}
variables.tf
variable "app_name" {
  description = "The name of the Azure Web App to create."
  type        = string
}

variable "app_allowed_groups" {
  description = "The list of allowed Group Names for the Default Authorisation Policy."
  type        = list(string)
}
Debug Output/Panic Output
None, but expected some maybe?
Expected Behaviour
There should be a sensible callback url defined here in the portal in App Services > Example > Authentication > Identity Provider > Microsoft (click the link for the App Registration)
Actual Behaviour
Because there isn’t the correct redirect URI in the app registration created by active_directory_v2, the Authentication provider doesn’t work.
When I visit my deployed site, I consent to the app looking me up on Graph, and after that I am redirected to e.g. https://example.azurewebsites.net/.auth/login/aad/callback.
This results in the following screen:
The redirect URL it is trying to send me to is correct (that is, I have ported this solution from auth_settings.active_directory, which worked, and that was the redirect URI. Now, I need the allowed_groups feature, so I’m upgrading to auth_settings_v2.active_directory_v2).
Steps to Reproduce
terraform apply with the code above and a suitable terraform.tfvars file (see provided variables.tf).
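One way to get the callback route working, as an added example that is not code from the issue or from the provider: manage the app registration in Terraform with the hashicorp/azuread provider (2.x argument names assumed), register the /.auth/login/aad/callback URI on it, and hand the client secret to Easy Auth through the app setting named by client_secret_setting_name instead of reading ARM_* variables through the external data source. It assumes the resource group, service plan and variables from the issue's main.tf and variables.tf; the resource names and display_name are illustrative.

```hcl
data "azurerm_client_config" "current" {}

# App registration for Easy Auth; redirect_uris is what the issue's setup lacks.
resource "azuread_application" "easyauth" {
  display_name            = "${var.app_name}-easyauth"
  sign_in_audience        = "AzureADMyOrg"
  group_membership_claims = ["SecurityGroup"] # emit group claims so allowed_groups can match
  web {
    # Must equal the URL Easy Auth redirects to (see the issue); a custom domain needs its own entry.
    redirect_uris = ["https://${var.app_name}.azurewebsites.net/.auth/login/aad/callback"]
    implicit_grant { id_token_issuance_enabled = true }
  }
}

# Terraform-managed client secret (azuread 2.x argument name). It is still held in state,
# so the state backend must be protected accordingly.
resource "azuread_application_password" "easyauth" {
  application_object_id = azuread_application.easyauth.object_id
}

resource "azurerm_linux_web_app" "example_wa" {
  name                = var.app_name
  resource_group_name = azurerm_resource_group.example_rg.name
  location            = azurerm_service_plan.example_service_plan.location
  service_plan_id     = azurerm_service_plan.example_service_plan.id
  # Easy Auth reads the secret from this app setting, selected by name below.
  app_settings = {
    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET = azuread_application_password.easyauth.value
  }
  site_config {
    application_stack { node_version = "16-lts" }
  }
  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true
    default_provider       = "AzureActiveDirectory"
    unauthenticated_action = "RedirectToLoginPage"
    active_directory_v2 {
      tenant_auth_endpoint       = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/v2.0"
      client_id                  = azuread_application.easyauth.application_id
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      allowed_groups             = var.app_allowed_groups
    }
    login { token_store_enabled = true }
  }
}
```

After apply, the redirect URI on the app registration should match the URL the browser is sent to in the screenshot above; if the Web App gets a custom hostname, add that hostname's /.auth/login/aad/callback to redirect_uris as well.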
About this issue
- Original URL
- State: open
- Created a year ago
- Comments: 17
For context, I am personally having this issue with the custom_oidc_v2 setting. Same issue. Redirect URIs registered with my OP, I can get auth to work in curl commands using our client id and secret, but the easy auth/authz/authn module that this auth_settings_v2 corresponds to 500 errors on redirect to callback (and shows no trace of the error in the logs either).
Hopefully fixed in #21113 /next release!!🤞
I think (2) is closer to correct than (1). In (1), you didn’t have the redirect URL registered in Azure AD. In (2), since it was registered, AD redirected you back to your app using that URL, but for some reason, that callback route doesn’t seem to work. This is where I have been stuck and the documentation on easyauth or authn/authz (whatever they call the auth module) is very unclear.